Pages

Sunday, December 30, 2012

Share your i-net safely

Share your internet safely with your friends & neighbors

Background: If you have a wired & wireless LAN (your primary network) and would like to share your bandwith with your guests & neighbors safely, you can do so by setting up a secondary wireless network. This document shows how to do that with a Buffalo WZR-300HP.

This is a short HOW-TO for WZR-300HP. For a full explanation, consult the DD-WRT wiki for detailed instructions & description for setting up multiple Wireless LANs (WLANs) on DD-WRT based routers.My Buffalo WZR-300HP came pre-loaded with DD-WRT software, v24SP2-MULTI (07/09/12) std, build 19438.I have shared my bandwidth using multiple SSIDs in the past using older Buffalo & Linksys routers. However, the specific steps involved change a little depending on the build of DD-WRT & the type and version of the router, hence this document.If your router model or DD-WRT version (build) are different from mine, your-mileage-may-vary.The steps are :

Create a new wireless Virtual Interface (WLAN / SSID)

Create a new bridge & assign the new Virtual Interface to the new bridge

Add a DHCP server to the new bridge

Add firewall commands to allow traffic on the new wireless network

Apply QoS & traffic shaping to the new SSID

Step 1: Create a new wireless Virtual Interface (WLAN / SSID)Open the Wireless TAB on your dd-wrt web interface, then under Basic Settings add a new Virtual Interface. The new Virtual Interface will use the same wifi channel as your Wireless Physical Interface.Click Apply Settings, see a screen shot of Step 1 below.

Step 2: Create a new bridge & assign the new Virtual Interface to the new bridge

Next go to the Setup tab, under Networking create a new bridge (br1) by clicking Add. Then assign the new WLAN (ath0.1) to the new bridge (br1). You may need to Apply Settings after creating the new bridge before assigning the WLAN to it.

Click Apply Settings, see a screen shot of Step 2 below.

Step 3: Add a DHCP server to the new bridgeUnder the same tab, add a new DHCP server and assign it to the new bridge (br1). The wireless clients on the new WLAN will receive IP addresses from this DHCP server. Choose a different subnet for this network. Eg. if your primary LAN & WLAN use 192.168.1.x use a different set of first three numbers, say 192.168.10 or 10.11.12 etc.Click Apply Settings, see a screen shot of Step 3 below.

Step 4: Add firewall commands to allow traffic on the new wireless network

So we have a new WLAN for secondary (public/guest) access, wireless clients can connect to it and receive an IP address assignment. but their network traffic has to be directed properly, just two firewall commands is all it takes to direct traffic from the new WLAN.The two traffic rules applied here are (1) Allow all traffic from new WLAN (2) Reject all traffic from new WLAN to the primary LAN & WLAN. The firewall rule entries are : iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT iptables -I FORWARD -i br1 -o br0 -m state --state NEW -j DROPSince the DD-WRT build # on my Buffalo is above 17000, the DD-WRT wiki indicates that an additional firewall rule must be added at the beginning to fix a bug. If & when DD-WRT fixes this bug, the first rule may no longer be needed. If you need to further restrict access on your new WLAN, refer to the wiki for additional rules.Go to the Administration tab, open Commands tab underneath and copy-paste the following three rules into the Commands box and click Save Firewall. See screen shot below the rules. iptables -t nat -I POSTROUTING -o `get_wanface` -j SNAT --to `nvram get wan_ipaddr`

QoS (quality of service) allows you to prioritize some of the traffic over other traffic. For eg. traffic from my VoIP phone or google-talk video chat should receive a higher priority than my web surfing because I would like to talk on the phone or video chat with minimal delay.Traffic shaping allows you to limit clients from eating up all available bandwidth.Go to the NAT/QoS tab and open the QoS tab underneath. Enable Start QoS, then set the appropriate parameters for Uplink & Downlink based on your connection limits. Then scroll down to the Netmask Priority section, add each of your subnets, and set appropriate limits to WAN Max Up, WAN Max Down & LAN Max sections. Then click on the Priority pull down list and choose between - Exempt, Premium, Express, Standard & Bulk - for each subnet.The kBits limits give you traffic shaping, while the Priority setting gives you QoS.Be sure to Apply Settings, and perhaps reboot the router by going to the Administration tab, then click on Management tab, & click Reboot Router.

You can view all of your wired & wireless clients, from multiple WLANs under the Status tab under the LAN tab.

8 comments:

I just didnt understand at the end how to configure the QoS. My main network is 192.168.1.x and my guest is 10.11.12.x as you suggested. What should I put in IP/mask... I put .0/24 as in your example, but I tested the guest network and I'm downloading at full speed, which should have been half....

I too have not had much success with traffic shaping using DD-WRT, similar results have been reported by others.This YouTube video shows you how to shape traffic with dd-wrt in a limited context http://youtu.be/EjCb5P302Ms

Thank you very much for the great guide. It is great to have a step-by-step specifically for the buffalo users!Because I live in city center I have to / want to add a password to the guest network - otherwise the Starbucks guest downstairs all use my WiFi - would be too great ;-) So additionally to your description I added a personal wpa2 with tkip+aes. The problem is that I cannot connect to the guest network. I always receive an authentication error. Do you have any idea what might be the reason? I tried different ssid names (without special characters) and also simple passwords.

Hi Paul, I would try an incremental approach to try & isolate the problem. First turn off all security, see if you can connect to the guest network. If connecting to the unsecured guest network works fine, enable security using WEP. If connecting to WEP works fine then try WPA.

Hi BajiI figured after a few attempts that your guide shows STP switched off for the new bride br1 as well as for br0. Other guides showthat setting as 'on' (which is the standard setting). Even tthough I have no clue what it means or does - changing it to 'off' solved ,y problem. Now it's working!So that no you onemore for the guide sand the help!P.S. I got stuck another time when I entered the commands in the command window,but saved them as custom scrip and not ad firewall. Needless to say that it didn't work then to access the internet or anythingg else. Just in case somebody else get that problem: make sure to save the ccommand as 'firewall'

Paul,Glad to hear that you got it working. STP stands for spanning tree protocol which is a packet scheduling algorithm. More about STP can be found here : http://en.wikipedia.org/wiki/Spanning_Tree_Protocolthanks !-baji.